WmiApSrv.pdb
Static task: static1
Behavioral task: behavioral1 (Sample: wmiapsrv.exe, Resource: win7-20240708-en)
Behavioral task: behavioral2 (Sample: wmiapsrv.exe, Resource: win10v2004-20240802-en)
General
- Target: ee56f906f6cec2b4b73a59ce4f405ea841f5fce7b58cd98c0e4ed866e35ec16dN
- Size: 50KB
- MD5: 1dc343b9293a86bd263439c7dfa0cab0
- SHA1: 2e055b3aa1953f2c5cb32297f1f28a3601b32496
- SHA256: ee56f906f6cec2b4b73a59ce4f405ea841f5fce7b58cd98c0e4ed866e35ec16d
- SHA512: 32f36c0500db6dae5830fe7c29c47b1e96311ddd8688a81be84633e2d04563299c15e4a0701c86865d341551f1e095d17b65c8ce750fa6b093cb958e9b95b6e7
- SSDEEP: 1536:A+L7URa0MP9MV2Mac0LEFDYykJ14p7DpXR3G:jL7UDgMaJEFDYvHqfj3G
Malware Config
Signatures
- Unsigned PE (1 IoCs): Checks for missing Authenticode signature.
  resource unpack001/wmiapsrv.exe
Files
-
ee56f906f6cec2b4b73a59ce4f405ea841f5fce7b58cd98c0e4ed866e35ec16dN.cab
-
wmiapsrv.exe.exe windows:5 windows x86 arch:x86
99250b7f2f051041953ad2d17bd56c6f
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
msvcrt
_wcsicmp
wcsrchr
_vsnwprintf
_CxxThrowException
_wtol
realloc
_wtoi
wcslen
wcscmp
_controlfp
_onexit
__dllonexit
??1type_info@@UAE@XZ
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
wcscspn
wcsspn
iswdigit
wcschr
?terminate@@YAXXZ
vswprintf
memmove
_wcsrev
_wcslwr
_wcsupr
wcsstr
wcspbrk
mbstowcs
wcscoll
_acmdln
exit
_cexit
_XcptFilter
_exit
_c_exit
memset
free
memcpy
__CxxFrameHandler
??2@YAPAXI@Z
??3@YAXPAX@Z
malloc
advapi32
RegCreateKeyExA
RegSetValueExA
RegQueryValueExA
RegDeleteValueA
RegDeleteKeyA
RegEnumValueW
RegEnumKeyA
RegQueryInfoKeyW
RegOpenKeyW
RegQueryValueExW
RegEnumKeyW
RegEnumValueA
RegCloseKey
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyExW
RegDeleteValueW
RegSetValueExW
RegCreateKeyExW
CloseServiceHandle
QueryServiceStatus
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
ConvertStringSecurityDescriptorToSecurityDescriptorW
InitializeSecurityDescriptor
MakeAbsoluteSD
SetServiceStatus
RegisterServiceCtrlHandlerW
DeleteService
ControlService
StartServiceCtrlDispatcherW
ChangeServiceConfig2W
CreateServiceW
RegOpenCurrentUser
RegQueryInfoKeyA
RegOpenKeyExA
kernel32
lstrlenW
ReleaseSemaphore
WaitForSingleObject
SwitchToThread
GetLastError
GetCurrentProcess
InterlockedIncrement
InterlockedDecrement
InitializeCriticalSection
SetEvent
ResetEvent
EnterCriticalSection
TryEnterCriticalSection
LocalAlloc
lstrcmpiW
GetCommandLineW
CreateMutexW
CreateEventW
DeleteCriticalSection
ReleaseMutex
InterlockedCompareExchange
GetModuleHandleW
GetModuleFileNameW
Sleep
WaitForMultipleObjects
UnmapViewOfFile
lstrcmpW
FlushViewOfFile
MapViewOfFile
CreateFileMappingW
GetExitCodeProcess
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoA
CreateFileW
WriteFile
WideCharToMultiByte
GetSystemDefaultLCID
GetSystemDirectoryW
GetProcAddress
LeaveCriticalSection
CloseHandle
FormatMessageW
FormatMessageA
OpenEventW
SetLastError
OpenProcess
FreeLibrary
LoadLibraryW
ExpandEnvironmentStringsW
RaiseException
MultiByteToWideChar
GetVersionExA
CreateSemaphoreW
CreateDirectoryW
DeleteFileW
MoveFileExW
GetLocaleInfoW
lstrlenA
GetVersionExW
LocalFree
user32
CharNextW
LoadStringW
ntdll
NtQueryObject
RtlGetAce
RtlGetDaclSecurityDescriptor
RtlEqualSid
RtlGetOwnerSecurityDescriptor
NtQuerySecurityObject
iswspace
atol
oleaut32
SysFreeString
SysAllocString
VariantChangeType
SysStringLen
VariantClear
SafeArrayDestroy
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetLBound
SafeArrayGetUBound
SysAllocStringLen
ole32
CoInitializeEx
CoUninitialize
CoCreateInstance
CoInitializeSecurity
CoFreeUnusedLibraries
CoSetProxyBlanket
wbemcomn
?Enter@CStaticCritSec@@QAEXXZ
?Leave@CStaticCritSec@@QAEXXZ
?Throttle@@YGJKKKKK@Z
??1CStaticCritSec@@QAE@XZ
??0CStaticCritSec@@QAE@XZ
?anyFailure@CStaticCritSec@@SGHXZ
loadperf
LoadPerfCounterTextStringsW
UnloadPerfCounterTextStringsW
Exports
??0CHPtrArray@@QAE@XZ
??0CHString@@QAE@ABV0@@Z
??0CHString@@QAE@GH@Z
??0CHString@@QAE@PBD@Z
??0CHString@@QAE@PBE@Z
??0CHString@@QAE@PBG@Z
??0CHString@@QAE@PBGH@Z
??0CHString@@QAE@XZ
??0CHStringArray@@QAE@XZ
??0CRegistry@@QAE@ABV0@@Z
??0CRegistry@@QAE@XZ
??0CRegistrySearch@@QAE@ABV0@@Z
??0CRegistrySearch@@QAE@XZ
??1CHPtrArray@@QAE@XZ
??1CHString@@QAE@XZ
??1CHStringArray@@QAE@XZ
??1CRegistry@@QAE@XZ
??1CRegistrySearch@@QAE@XZ
??4CHPtrArray@@QAEAAV0@ABV0@@Z
??4CHString@@QAEABV0@ABV0@@Z
??4CHString@@QAEABV0@D@Z
??4CHString@@QAEABV0@G@Z
??4CHString@@QAEABV0@PAV0@@Z
??4CHString@@QAEABV0@PBD@Z
??4CHString@@QAEABV0@PBE@Z
??4CHString@@QAEABV0@PBG@Z
??4CHStringArray@@QAEAAV0@ABV0@@Z
??4CRegistry@@QAEAAV0@ABV0@@Z
??4CRegistrySearch@@QAEAAV0@ABV0@@Z
??ACHPtrArray@@QAEAAPAXH@Z
??ACHPtrArray@@QBEPAXH@Z
??ACHString@@QBEGH@Z
??ACHStringArray@@QAEAAVCHString@@H@Z
??ACHStringArray@@QBE?AVCHString@@H@Z
??BCHString@@QBEPBGXZ
??H@YG?AVCHString@@ABV0@0@Z
??H@YG?AVCHString@@ABV0@G@Z
??H@YG?AVCHString@@ABV0@PBG@Z
??H@YG?AVCHString@@GABV0@@Z
??H@YG?AVCHString@@PBGABV0@@Z
??YCHString@@QAEABV0@ABV0@@Z
??YCHString@@QAEABV0@D@Z
??YCHString@@QAEABV0@G@Z
??YCHString@@QAEABV0@PBG@Z
?Add@CHPtrArray@@QAEHPAX@Z
?Add@CHStringArray@@QAEHPBG@Z
?AllocBeforeWrite@CHString@@IAEXH@Z
?AllocBuffer@CHString@@IAEXH@Z
?AllocCopy@CHString@@IBEXAAV1@HHH@Z
?AllocSysString@CHString@@QBEPAGXZ
?Append@CHPtrArray@@QAEHABV1@@Z
?Append@CHStringArray@@QAEHABV1@@Z
?AssignCopy@CHString@@IAEXHPBG@Z
?CheckAndAddToList@CRegistrySearch@@AAEXPAVCRegistry@@VCHString@@1AAVCHPtrArray@@11H@Z
?Close@CRegistry@@QAEXXZ
?CloseSubKey@CRegistry@@AAEXXZ
?Collate@CHString@@QBEHPBG@Z
?Compare@CHString@@QBEHPBG@Z
?CompareNoCase@CHString@@QBEHPBG@Z
?ConcatCopy@CHString@@IAEXHPBGH0@Z
?ConcatInPlace@CHString@@IAEXHPBG@Z
?Copy@CHPtrArray@@QAEXABV1@@Z
?Copy@CHStringArray@@QAEXABV1@@Z
?CopyBeforeWrite@CHString@@IAEXXZ
?CreateOpen@CRegistry@@QAEJPAUHKEY__@@PBGPAGKKPAU_SECURITY_ATTRIBUTES@@PAK@Z
?DeleteCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBG@Z
?DeleteCurrentKeyValue@CRegistry@@QAEKPBG@Z
?DeleteKey@CRegistry@@QAEJPAVCHString@@@Z
?DeleteValue@CRegistry@@QAEJPBG@Z
?ElementAt@CHPtrArray@@QAEAAPAXH@Z
?ElementAt@CHStringArray@@QAEAAVCHString@@H@Z
?Empty@CHString@@QAEXXZ
?EnumerateAndGetValues@CRegistry@@QAEJAAKAAPAGAAPAE@Z
?Find@CHString@@QBEHG@Z
?Find@CHString@@QBEHPBG@Z
?FindOneOf@CHString@@QBEHPBG@Z
?Format@CHString@@QAAXIZZ
?Format@CHString@@QAAXPBGZZ
?FormatMessageW@CHString@@QAAXIZZ
?FormatMessageW@CHString@@QAAXPBGZZ
?FormatV@CHString@@QAEXPBGPAD@Z
?FreeExtra@CHPtrArray@@QAEXXZ
?FreeExtra@CHString@@QAEXXZ
?FreeExtra@CHStringArray@@QAEXXZ
?FreeSearchList@CRegistrySearch@@QAEHHAAVCHPtrArray@@@Z
?GetAllocLength@CHString@@QBEHXZ
?GetAt@CHPtrArray@@QBEPAXH@Z
?GetAt@CHString@@QBEGH@Z
?GetAt@CHStringArray@@QBE?AVCHString@@H@Z
?GetBuffer@CHString@@QAEPAGH@Z
?GetBufferSetLength@CHString@@QAEPAGH@Z
?GetClassNameW@CRegistry@@QAEPAGXZ
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGPAEPAK@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGPAEPAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z
?GetCurrentRawKeyValue@CRegistry@@AAEKPAUHKEY__@@PBGPAXPAK3@Z
?GetCurrentRawSubKeyValue@CRegistry@@AAEKPBGPAXPAK2@Z
?GetCurrentSubKeyCount@CRegistry@@QAEKXZ
?GetCurrentSubKeyName@CRegistry@@QAEKAAVCHString@@@Z
?GetCurrentSubKeyPath@CRegistry@@QAEKAAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAK@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGPAXPAK@Z
?GetData@CHPtrArray@@QAEPAPAXXZ
?GetData@CHPtrArray@@QBEPAPBXXZ
?GetData@CHString@@IBEPAUCHStringData@@XZ
?GetData@CHStringArray@@QAEPAVCHString@@XZ
?GetData@CHStringArray@@QBEPBVCHString@@XZ
?GetLength@CHString@@QBEHXZ
?GetLongestClassStringSize@CRegistry@@QAEKXZ
?GetLongestSubKeySize@CRegistry@@QAEKXZ
?GetLongestValueData@CRegistry@@QAEKXZ
?GetLongestValueName@CRegistry@@QAEKXZ
?GetSize@CHPtrArray@@QBEHXZ
?GetSize@CHStringArray@@QBEHXZ
?GetUpperBound@CHPtrArray@@QBEHXZ
?GetUpperBound@CHStringArray@@QBEHXZ
?GetValueCount@CRegistry@@QAEKXZ
?GethKey@CRegistry@@QAEPAUHKEY__@@XZ
?Init@CHString@@IAEXXZ
?InsertAt@CHPtrArray@@QAEXHPAV1@@Z
?InsertAt@CHPtrArray@@QAEXHPAXH@Z
?InsertAt@CHStringArray@@QAEXHPAV1@@Z
?InsertAt@CHStringArray@@QAEXHPBGH@Z
?IsEmpty@CHString@@QBEHXZ
?Left@CHString@@QBE?AV1@H@Z
?LoadStringW@CHString@@IAEHIPAGI@Z
?LoadStringW@CHString@@QAEHI@Z
?LocateKeyByNameOrValueName@CRegistrySearch@@QAEHPAUHKEY__@@PBG1PAPBGKAAVCHString@@3@Z
?LockBuffer@CHString@@QAEPAGXZ
?MakeLower@CHString@@QAEXXZ
?MakeReverse@CHString@@QAEXXZ
?MakeUpper@CHString@@QAEXXZ
?Mid@CHString@@QBE?AV1@H@Z
?Mid@CHString@@QBE?AV1@HH@Z
?NextSubKey@CRegistry@@QAEKXZ
?Open@CRegistry@@QAEJPAUHKEY__@@PBGK@Z
?OpenAndEnumerateSubKeys@CRegistry@@QAEJPAUHKEY__@@PBGK@Z
?OpenCurrentUser@CRegistry@@QAEKPBGK@Z
?OpenLocalMachineKeyAndReadValue@CRegistry@@QAEJPBG0AAVCHString@@@Z
?OpenSubKey@CRegistry@@AAEKXZ
?PrepareToReOpen@CRegistry@@AAEXXZ
?Release@CHString@@IAEXXZ
?Release@CHString@@KGXPAUCHStringData@@@Z
?ReleaseBuffer@CHString@@QAEXH@Z
?RemoveAll@CHPtrArray@@QAEXXZ
?RemoveAll@CHStringArray@@QAEXXZ
?RemoveAt@CHPtrArray@@QAEXHH@Z
?RemoveAt@CHStringArray@@QAEXHH@Z
?ReverseFind@CHString@@QBEHG@Z
?RewindSubKeys@CRegistry@@QAEXXZ
?Right@CHString@@QBE?AV1@H@Z
?SafeStrlen@CHString@@KGHPBG@Z
?SearchAndBuildList@CRegistrySearch@@QAEHVCHString@@AAVCHPtrArray@@00HPAUHKEY__@@@Z
?SetAt@CHPtrArray@@QAEXHPAX@Z
?SetAt@CHString@@QAEXHG@Z
?SetAt@CHStringArray@@QAEXHPBG@Z
?SetAtGrow@CHPtrArray@@QAEXHPAX@Z
?SetAtGrow@CHStringArray@@QAEXHPBG@Z
?SetCHStringResourceHandle@@YGXPAUHINSTANCE__@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z
?SetCurrentKeyValueExpand@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?SetDefaultValues@CRegistry@@AAEXXZ
?SetPlatformID@CRegistry@@CGHXZ
?SetSize@CHPtrArray@@QAEXHH@Z
?SetSize@CHStringArray@@QAEXHH@Z
?SpanExcluding@CHString@@QBE?AV1@PBG@Z
?SpanIncluding@CHString@@QBE?AV1@PBG@Z
?TrimLeft@CHString@@QAEXXZ
?TrimRight@CHString@@QAEXXZ
?UnlockBuffer@CHString@@QAEXXZ
?myRegCreateKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKPAGKKPAU_SECURITY_ATTRIBUTES@@PAPAU2@PAK@Z
?myRegDeleteKey@CRegistry@@AAEJPAUHKEY__@@PBG@Z
?myRegDeleteValue@CRegistry@@AAEJPAUHKEY__@@PBG@Z
?myRegEnumKey@CRegistry@@AAEJPAUHKEY__@@KPAGK@Z
?myRegEnumValue@CRegistry@@AAEJPAUHKEY__@@KPAGPAK22PAE2@Z
?myRegOpenKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPAPAU2@@Z
?myRegQueryInfoKey@CRegistry@@AAEJPAUHKEY__@@PAGPAK22222222PAU_FILETIME@@@Z
?myRegQueryValueEx@CRegistry@@AAEJPAUHKEY__@@PBGPAK2PAE2@Z
?myRegSetValueEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPBEK@Z
?s_dwPlatform@CRegistry@@0KA
?s_fPlatformSet@CRegistry@@0HA
Sections
.text Size: 117KB - Virtual size: 116KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 4KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ